A Good Endpoint

Visibility is a good way to start to achieve success in the age of IoT

By Richard Henderson

May 01, 2018

Most of the malicious or criminal activity targeting
today’s enterprises involves the endpoint. Insecure
endpoints are an expensive risk and difficult to address.
As the number of devices with IP connectivity
continues to rapidly grow, it gives organizations a
new class of dim and dark endpoints to worry about. Research predicts
that the B2B IoT segments will generate more than $300 billion
annually by 2020.

As enterprise markets invest in IoT, privacy and security concerns
loom as they relate to IoT deployments and vulnerability exploitation.
Regulatory standards are also lacking. Leading industry voices
like cryptographer and author Bruce Schneier are calling for government
regulation, as it could be the only solution that could impose
required security standards on IoT devices.

No Time to Wait

Effective asset and vulnerability management is critical to maintaining
visibility. The effort cannot stop at desktops and laptops. The simple
reality today is that organizations need to monitor anything with
an IP address that connects to their network resources: smartphones,
tablets, IoT devices, and other employee-owned devices (like personal
“smart” devices) should all be monitored. The end goal should be
to collect and process telemetry from everything. Of course, there
are privacy concerns that organizations should be cognizant of when
collecting and analyzing this data, and depending on where you are,
that can be a whole other challenge to consider.

Still, organizations report facing significant struggles with blind
spots in their network activity, with non-corporate devices and user
behavior being their top challenges according to this ESG report.
If visibility into your infrastructure is narrow and shallow, any risk
calculations you make will almost always be a shot in the dark and
ultimately inaccurate, leading to some tough questions by the powers-
that-be after a significant incident happens. You must be able to
identify each device, its current status and state, and the state of all
the applications residing on the device, if any.

Here are five best practices that organizations should consider in
order to get a better picture of the current state of their infrastructure
and improve their endpoint security posture in the age of IoT.

Make sure the most critical assets are covered. If you’re not currently
using a modern solution to collect, scrub, analyze, and respond
to anomalous log events, then start small—focus on building solutions
that target your most critical assets: devices belonging to Csuite
executives and their assistants, your privileged accounts and
devices belonging to your administrators, and your various system
accounts that often have credentials that seldom (or never) change.
Start there and expand as time, resources and budgets allow.

Monitor application health. Direct threats to IoT aside, you should
also consider having a method to actively monitor the health of applications.
If there is an incident or vulnerability, you need to be alerted
so that you can respond to it. Think of the process like a checklist: is
my endpoint security software still functioning? Can I access specific
URLs that malware may try to prevent me from accessing? Have I
verified my CPU usage for any odd behaviors that may indicate cryptomining
or other resource-based attacks? Can my device connect to
the network? If you can’t check off all of these items, that might be a
sign of a malware infection or cyberattack, or of a potential vulnerability
in the device’s software.

Monitor device traffic. Keeping an eye on device traffic is imperative
in the age of IoT. Devices and applications interact with each other
in a sort of pattern—maybe you take your fitness tracker with you on a
run most mornings, use your smart coffee machine at work every day,
or make weekly conference calls from your smartphone. The reality
today is some traffic increases should be expected with so much more
emphasis on smart devices. But it’s important to watch for things like
a massive spike in traffic volume from one of these devices, that device
could be malfunctioning at best, or it’s being used to exfiltrate data or
participate in a botnet or DDoS at worst. In the context of an organization’s
network, this could also point to an employee who is maliciously
exfiltrating the data themselves. Awareness of all the devices in
an employee’s network, including personal devices, is essential—without
full visibility, malicious traffic could go unnoticed.

Combine passive and active scanning in your asset management
strategy. Your asset management strategy should include a focus on
both actively and passively scanning devices—passive scanning is designed
to watch your traffic flows to identify active devices, and active
scanning is centered around overtly probing your network looking
for previously unseen, dormant or idle devices. When you put the two
together, you’ll have a much better picture as to the current state of
your infrastructure. This can really help in identifying rogue devices
that someone has connected to your network somewhere or IoT devices
that aren’t constantly sending data through your network.

Patch early and often. With a plethora of IoT devices in circulation,
encountering vulnerability somewhere in your network is almost
inevitable. If vulnerability is discovered, the best course of action is to
patch your devices early and often. It’s possible that some of the IoT
devices you deploy won’t get patches though, or won’t receive timely
patches. Unlike companies and organizations who issue patches frequently,
some device manufacturers either lack the technical skill or
have the resources to provide long-term support of IoT devices. For
manufacturers that do provide regular updates, patches fill the holes
in your network and protect your endpoint, which is important for
maintaining good security posture. However, you have to make sure
you have the ability to push patches to all devices.

If you have blind spots in your network (like devices that have
been turned off or not connected for long periods of time), then some
devices will be left unpatched and serve as easy targets for attackers.
It only takes one weak entry point for a hacker to gain access to
private data. And for those devices that don’t—or can’t—be patched,
you must use other methods to protect your infrastructure. Microsegmentation
of those device clouds, locked-down static routing, and
dedicated subnetworks with their own industrial-focused firewall devices
should all be considered as other security options when patching
just simply isn’t possible.

Best practices like these help to counter the existence—and fear
of—IoT risk, which is partially due to a lack of visibility. One of the
keys to combating that fear, and lighting up this new class of dim and
dark endpoints, better understands all of the sources of risk that live
in your environment.

Once organizations are able to identify all the
pieces that form their network, they are one step
closer to designing a well-thought out strategy to
address that risk, and creating an environment
that better manages risk overall.

This article originally appeared in the May 2018 issue of Security Today.